Browser mixed content warning - what's the point?
I employ the Google maps API on my otherwise SSL-secured site. I invariably therefore get one of these terrible "mixed content" warnings pop up from my web app. This is annoying. I understand that this issue can be fixed when upon moving the app into production I sign up to a premier account with Google. Hurrah. I am just perplexed: the threat from Google to the integrity of my site remains the same whether I pull down their content over HTTP or HTTPS. What's the point, in other words, of browsers putting up this warning?
Thanks.
The threat from Google may remain the same, but when you're loading the Google content over http, it's not just threats from Google you need to worry about; you also need to worry about man-in-the-middle attacks, in which someone pretends to be Google and injects malicious content into your page. With the number of people who use untrusted or insecure wireless networks, it's not too hard to launch a man in the middle attack these days.
Also, https is supposed to protect information going in both directions. If there is content on the page not protected via https, but the user sees the https in the address and lock icon, they may believe that information they enter is secure from eavesdroppers, when in fact some of the information is transmitted in the clear.
the threat from Google to the integrity of my site remains the same whether I pull down their content over HTTP or HTTPS
I think you're using the wrong threat model here. The threat is not that google might act maliciously and send the wrong data to your users. Indeed, SSL would not protect against that.
The actual threat is that a man in the middle (between your users and google) could eavesdrop on the unprotected data to determine what your users are up to, or even modify the unprotected content in order to trick them.
It's the duty of the browser to somehow inform the user that such attacks are possible. Otherwise the user will incorrectly think that everything is secure because he entered an "https" address.
The reason this message exists is that any HTTPS connection is served via SSL, so the browser knows that the data coming in on it is indeed the exact data sent from the server.
This is not the case for any components that have been delivered via HTTP - these can change components that have been delivered via SSL, so the guarantee that the HTTPS data is correct cannot be maintained.
That's why the warning comes up.
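As an added example (not from the question or any of the answers), a small scanner, written here in Python, that reports which subresources of an HTTPS page are referenced over plain HTTP, separating active content (scripts, frames, stylesheets, which can rewrite the SSL-delivered page as the last answer describes) from passive content (images and media). The sample page, its hostnames and the `find_mixed_content` name are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// loads can alter the page (active mixed content) versus
# tags that only display data (passive). Simplification: every <link href>
# is treated as active, not just rel="stylesheet".
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class _SubresourceCollector(HTMLParser):
    """Collect every subresource reference as (tag, attribute, raw URL)."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (tag, attr) in ACTIVE | PASSIVE:
                self.refs.append((tag, attr, value))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, absolute_url)] for subresources fetched over HTTP.

    Relative and protocol-relative (//host/...) URLs inherit the page's
    scheme, so only explicit http:// references count as mixed content.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # no secure context, so nothing can be "mixed"
    parser = _SubresourceCollector()
    parser.feed(html)
    findings = []
    for tag, attr, raw in parser.refs:
        url = urljoin(page_url, raw)
        if urlsplit(url).scheme == "http":
            kind = "active" if (tag, attr) in ACTIVE else "passive"
            findings.append((kind, tag, url))
    return findings


# Constructed sample: an HTTPS app that pulls a maps script in over HTTP.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://maps.example.com/maps.js"></script>
<script src="//cdn.example.com/jquery.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="https://images.example.com/safe.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://app.example.com/"):
        print(f"{kind:7} <{tag}> {url}")
```

Active findings are the ones a browser blocks or warns about most loudly; fixing them means loading the resource over https:// or a protocol-relative URL.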